Sony's DRM security fix leaves your computer more vulnerable

This morning, I blogged about a bug that EFF discovered in the MediaMax spyware that Sony includes on 50 of the CDs it releases in Canada and the US. EFF got Sony to release a bug fix for it, but it turns out that the uninstaller leaves your computer less secure than the bug did!

Sony seems incapable of writing programs to uninstall the malicious software it secretly installs on your computer when you play its CDs (MediaMax installs on your PC even if you decline the agreement and eject the CD). Sony also seems incapable of producing a DRM system that doesn't contain rootkits, spyware, and/or security vulnerabilities. The combination is deadly.

> SonyBMG has released a patch that purports to fix the problem. However, our tests show that the patch is insecure. It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch.
>
> The previously released MediaMax uninstaller is also insecure in the same way, allowing an adversary to booby-trap files so that hostile software is run automatically when you try to use the uninstaller.


Previous installments of the Sony Rootkit Roundup: Part I, Part II, Part III, Part IV
